REMARKS

Applicants have thoroughly considered the Examiner's remarks in the September 14, 
2007 Office action and have amended the application to more clearly set forth aspects of the 
invention. This Amendment A amends claims 1, 6-7, 9, 11, and 17-22. No new matter has been
added. Claims 1-22 are thus presented in the application for further examination. 
Reconsideration of the application as amended and in view of the following remarks is 
respectfully requested. 

Claim Rejections Under 35 U.S.C. §101 
Claims 18-22 stand rejected under 35 U.S.C. §101 for being inclusive of data signals that 
are not statutory subject matter. Applicants disagree, and assert that carrier waves, data signals,
and other intangible communications media are statutory subject matter. A signal encoded with
functionally descriptive material is similar to a computer readable medium encoded with
functionally descriptive material, both of which are capable of a functional interrelationship with
a computer. To advance prosecution, however, Applicants have amended claims 18-22 to recite 
"computer storage medium" which is supported by paragraph 56 of the Application. Hence, the 
rejection of claims 18-22 under 35 U.S.C. §101 should be withdrawn. 

Claim Rejections Under 35 U.S.C. §102 

Claims 1-22 stand rejected under 35 U.S.C. § 102(b) as being anticipated by US Patent Pub. No.
20020004773 to Xu et al. Applicants respectfully submit that Xu fails to disclose or suggest
each and every element of amended claim 1.

Amended claim 1 recites, in part, "receiving a request from a user for access to the 
web service, said request including the user certificate;... comparing the user certificate data 
included in the user certificate to the revoked certificate data stored in the central location; 
authenticating the user if the comparing indicates that the user certificate data matches the 
revoked certificate data in the central location; providing the user access to the requested web 
service when the user is authenticated; if the comparing indicates that the user certificate 
data from the requested user certificate does not match the revoked certificate data stored 
in the central location: 

authenticating the user; 
providing the user access to the requested web service;

identifying an address from the user certificate data included with the request, said 
address identifying the location of revoked certificate data for a plurality of revoked 
certificates being maintained by at least one of the plurality of certificate issuers; and 

storing the address in the central location for subsequent retrieval." 

Aspects of the invention improve on existing implementations of certificate management 
by providing a central location for storing a plurality of revoked certificates for providing the 
revoked certificates to a user upon request. In addition, in the event that a user's request does not 
match any of the plurality of revoked certificates in the central location, embodiments of the 
invention nevertheless authenticate the user certificate and allow the client to access the 
requested application per the user request. Embodiments of the invention further parse the data 
included in the user certificate 325 to identify an address, such as the CDP (e.g., URL address) 
and store the identified CDP in the database for subsequent retrieval by fetching servers. See 
also paragraphs [0040] and [0050-0051]. This is beneficial for maintaining a most up-to-date
revoked certificate database for authenticating the user. 

To the contrary, Xu is silent with respect to authenticating the user in the event that
the user data is not found in the revoked certificate. See also FIGS. 2, 3 and 8. Xu also could
not anticipate embodiments of the invention as recited in amended claim 1 because Xu also
specifies that in the event one wishes to receive a latest revoked certificate, one needs to actively
obtain such certificate.

[0076] 4. RFC1424 retriever agent 

[0077] As we discussed in the above 3, RFC1424 CRL 
retrieval service is provided through mailboxes maintained 
by each CA's PCA. If you want to get a CA's latest CRL, 
you need to register with the PCA or send a CRL-retrieval 
request to the PCA's mailbox. The PCA will send you a 
CRL-retrieval reply message containing the requested CRL. 
Both CRL-retrieval request message and CRL-retrieval 
reply message are a type of Privacy-Enhanced Message (PEM).
So you must have a mailbox and a PEM user
agent to send CRL-retrieval request messages and to receive 
CRL-retrieval reply messages. 

This further complicates the entire certificate authentication process and thus cannot 
anticipate embodiments of the invention. Furthermore, Xu teaches away from authenticating in 
the event that a user's request does not match any of the plurality of revoked certificates in the
central location. Instead, Xu teaches using an API call to request the CRL from the CRL 
database and "ascertain whether the certificate is listed in the CRL and return the result to 
the e-Commerce application." Xu, paragraph [0047]. In other words, if the CRL is listed, the 
API returns the requested CRL; if the CRL is not present in the database, the result indicates a 
failure to retrieve the CRL from the database and the e-Commerce application's access is denied 
when there is no match. Thus, it would not be obvious to combine Xu with other prior art that 
generally teaches authentication since Xu teaches away from such authentication when there is 
no match. Therefore, the rejection of claim 1 and its dependent claims 2-8 under 35 U.S.C. 
§ 102(b) should be withdrawn. 

Amended claim 9 recites, in part, " 

retrieving the stored revoked certificate data from the central location; 

comparing a user certificate data included in a user certificate 
included in a user request to the stored revoked certificate data, said user 
request being received from a user; 

authenticating the user if the comparing indicates that the user 
certificate data matches the revoked certificate data in the central location; 

providing the user access to the requested web service when the user 
is authenticated; 

identifying an address of each of the one or more certificate issuers from the 
retrieved revoked certificate data; 

if the comparing indicates that the user certificate data from the 
requested user certificate does not match the revoked certificate data stored 
in the central location: 
authenticating the user; 

providing the user access to the requested web service; 

identifying another address from the user certificate data included with the request, 
said address identifying the location of revoked certificate data for a plurality of revoked 
certificates being maintained by at least one of the plurality of certificate issuers; 

storing the another address in the central location for subsequent retrieval...".

For at least the reasons above, Applicants respectfully submit that the rejection of claim 9 
and its dependent claim 10 under 35 U.S.C. §102(b) should be withdrawn. 

Amended claim 11 recites, in part, "an authentication server responsive to the client
request for executing a certificate revocation provider component, said certificate revocation 
provider component loading the revoked certificate data in the central database into a memory 
associated with the authentication server, and wherein the certificate revocation provider
component is responsive to the client request and loaded revoked certificate data to determine if 
the client request is authentic based on a match of the client request and the stored revoked 
certificate data, wherein, if a match of the client request and the stored revoked certificate 
data is not found, the authentication server authenticates the user, and wherein the 
certificate revocation provider component identifies an address from the user certificate 
data included with the client request, said address identifying the location of revoked 
certificate data for a plurality of revoked certificates being maintained by at least one of 
the plurality of certificate issuers; and wherein the certificate revocation provider 
component stores the address in the central database for subsequent retrieval by the 
fetching server." 

For at least the reasons above, Applicants respectfully submit that Xu fails to disclose or
suggest each and every element of amended claim 11. Hence, the rejection of claim 11 and its
dependent claims 12-16 under 35 U.S.C. § 102(b) should be withdrawn.

Amended claim 17 recites, in part, "a central database responsive to the retrieved
revoked certificate status data for storing a list of revoked certificates, wherein the fetching 
server identifying a address from a user certificate data included in a client request for the 
stored the list of revoked certificates if it is determined that there is no match between the 
user certificate data and retrieved certificate status data, said address identifying the 
location of revoked certificate data for a plurality of revoked certificates being maintained 
by at least one of the plurality of certificate issuers, and wherein the central database stores 
the address in the central location for subsequent retrieval." 

For at least the reasons above, Applicants submit that Xu fails to disclose or suggest each 
and every element of amended claim 17. Hence, the rejection of claim 17 under 35 U.S.C. 
§ 102(b) should be withdrawn. 

Amended claim 18 recites, in part,

authenticating instructions for selectively authenticating the user if the 
comparing indicates that the user certificate data matches the revoked certificate 
data in the central location;

providing instructions for providing the user access to the requested web service 
when the user is authenticated; 
if the comparing indicates that the user certificate data from the requested user
certificate does not match the revoked certificate data stored in the central location: 
wherein the authentication instructions authenticate the user; 

wherein the providing instructions provide the user access to the requested web service;

identifying instructions for identifying an address from the user certificate data 
included with the request, said address identifying the location of revoked certificate data 
for a plurality of revoked certificates being maintained by at least one of the plurality of 
certificate issuers; and 

wherein the storing instructions store the address in the central location for subsequent retrieval.

For at least the reasons above, Applicants respectfully submit that the rejection of claim 
18 and its dependent claims 19-21 under 35 U.S.C. §102(b) should be withdrawn.
Amended claim 22 recites, in pertinent part, 

"comparing instructions for comparing a user certificate data included in a user
certificate included in a user request to the stored revoked certificate data, said user 
request being received from a user; 

authenticating instructions for authenticating the user if the comparing indicates 
that the user certificate data matches the revoked certificate data in the central location;

providing instructions for providing the user access to the requested web service
when the user is authenticated; 

identifying instructions for identifying an address of each of the one or more 
certificate issuers from the retrieved revoked certificate data; 

if the comparing indicates that the user certificate data from the requested user 
certificate does not match the revoked certificate data stored in the central location: 

wherein the authenticating instructions authenticate the user; 

wherein the providing instructions provide the user access to the requested web 
service; 

wherein the identifying instructions identify another address from the user 
certificate data included with the request, said address identifying the location of revoked 
certificate data for a plurality of revoked certificates being maintained by at least one of 
the plurality of certificate issuers; 

wherein the storing instructions store the another address in the central location for 
subsequent retrieval.

For at least the reasons above, Applicants respectfully submit that the rejection of claim 
22 under 35 U.S.C. § 102(b) should be withdrawn. 

Conclusion 

Applicants submit that the claims are allowable for at least the reasons set forth herein. 
Applicants thus respectfully submit that claims 1-22 as presented are in condition for allowance 
and respectfully request favorable reconsideration of this application. 
Although the prior art made of record and not relied upon may be considered pertinent to
the disclosure, none of these references anticipates or makes obvious the recited aspects of the 
invention. The fact that Applicants may not have specifically traversed any particular assertion 
by the Office should not be construed as indicating Applicants' agreement therewith. 

Applicants wish to expedite prosecution of this application. If the Examiner deems 
the application to not be in condition for allowance, the Examiner is invited and 
encouraged to telephone the undersigned to discuss making an Examiner's amendment to 
place the application in condition for allowance. 

The Commissioner is hereby authorized to charge any deficiency or overpayment of any 
required fee during the entire pendency of this application to Deposit Account No. 19-1345. 

Respectfully submitted, 
/TAN-CHI YUAN/ 

Tan-Chi Yuan, Limited Recognition No. L01 13 

SENNIGER POWERS 

One Metropolitan Square, 16th Floor 

St. Louis, Missouri 63102 

(314) 231-5400 